Reading the Winds: The SEC’s Cybersecurity Program After SolarWinds

Cybersecurity is—or should be—the focus of growing concern among companies in all sectors of the economy. A serious breach, or even a hint of vulnerability, can cost a company millions, in direct costs, lost customer trust, and ultimately, lost value. Consequently, a company’s cybersecurity record is increasingly important to its market position and increasingly of interest to potential investors.

The SEC’s Cybersecurity Enforcement Effort

The SEC’s interest in and attention to cybersecurity risks has also increased. In 2022, the agency nearly doubled the size of its Crypto Assets and Cyber Unit, and it has filed numerous cybersecurity-related enforcement actions, including charges against J.P. Morgan, UBS Financial Services Inc., and Morgan Stanley Smith Barney over deficient safeguards for customer information. In March 2023, Blackbaud, Inc., paid a $3 million fine to settle charges that its disclosures regarding a 2020 ransomware attack were misleading. And, in July 2023, the SEC adopted a new set of rules requiring public companies to disclose their cybersecurity risk management strategy and to report material breaches promptly. Those rules opened new opportunities for potential whistleblowers with knowledge of cybersecurity failures or cybersecurity-related misrepresentations by public companies.

The passage of the rules was followed in very short order by an enforcement action against SolarWinds Corporation related to a serious breach of the company’s Orion network monitoring software in 2020. In a complaint filed in October 2023, the agency alleged that SolarWinds failed to address known cybersecurity vulnerabilities, made misleading disclosures that overstated the company’s preparedness and understated its vulnerabilities, and failed to disclose the full extent of the breach of its Orion software—an application relied on by 499 of the Fortune 500 and numerous government agencies.

SolarWinds

The SolarWinds complaint was comprehensive in its allegations of wrongdoing by the company and its Chief Information Security Officer (CISO), Timothy G. Brown. According to the complaint, the company and Mr. Brown misled investors by disclosing general, hypothetical risks when they knew of actual deficiencies and vulnerabilities in the company’s policies and practices; provided public risk statements that were directly contradicted by its internal assessments; failed to address known security issues; provided a Security Statement on its website that was riddled with materially misleading statements and omitted significant information; and filed a Form 8-K reporting the Orion breach that did not disclose the full extent or duration of the breach. These actions, the agency argued, amounted to violations of a half dozen different securities laws and regulations. The complaint was described by some commentators as “the SEC’s most aggressive use of its powers” in the cybersecurity context.

That aggressive approach was quickly reined in. In July 2024, Judge Paul Engelmayer of the Southern District of New York dismissed much of the SEC’s case in a careful decision that allowed some claims to proceed but cut off key ones. Essentially, the court divided the allegations into two groups: those concerning false and misleading statements about cybersecurity made before the breach, and those concerning disclosures made after the breach.

The court allowed allegations regarding disclosures made on the company’s own website via its Security Statement, rejecting defendants’ claim that the statement was intended for customers, not investors, and so could not be subject to the securities laws. However, it dismissed claims related to statements made in blog posts, press releases, and podcasts as “corporate puffery.” It also dismissed the SEC’s claims with regard to the company’s Form S-1 disclosures before the breach, finding that the disclosure included sufficient detail to warn investors of the risks.

On the post-breach side, the court rejected all of the SEC’s claims. Contrary to the SEC’s reading of SolarWinds’ initial Form 8-K disclosure of the breach as misleading, Judge Engelmayer found that the form as a whole “captured the big picture: the severity of the SUNBURST attack.”

Finally, and perhaps most significantly, the court rejected a novel claim by the SEC. The agency charged SolarWinds with a violation of Section 13(b)(2)(B) of the Exchange Act, which requires issuers to maintain a system of internal accounting controls sufficient to protect corporate assets, reasoning that the Orion software was a corporate asset and that SolarWinds had not adequately controlled access to it. Judge Engelmayer was not convinced. Section 13(b)(2)(B), he held, reaches internal accounting controls over financial matters, not cybersecurity controls; reading the statute to cover the latter could not be reconciled with its text.

The Lessons of SolarWinds

The SolarWinds decision has wide implications for the SEC’s cybersecurity program going forward, although it’s unclear how the lessons from SolarWinds will play out. Judge Engelmayer’s rejection of the agency’s novel internal control argument apparently closes that specific avenue of enforcement. The agency may take that decision as a cue to seek less-novel theories, or it may attempt to reshape the underlying theories and try again.

Two other parts of the decision offer clear lessons for whistleblowers.

First, Judge Engelmayer’s rejection of many of the post-breach disclosures appeared to be based on a distaste for Monday-morning quarterbacking. Where the SEC alleged incomplete disclosure of the full scope of the breach, Judge Engelmayer saw a “lengthy” form, filed just days after discovery of the breach, that conveyed the essential message and put investors on alert. By contrast, those claims that succeeded alleged repeated misleading statements in the calmer waters of a website Security Statement. A successful case will demonstrate a course of fraudulent or misleading statements made with deliberation.

Second, in allowing the case against SolarWinds’ Chief Information Security Officer to continue, the court highlighted the importance of knowledge and intent. Who knew what, and how they acted on that knowledge, will be a key component of any successful SEC action.

SolarWinds does not mean that cybersecurity failures are off the table. The agency is still focused on cybersecurity, and cybersecurity-based TCR (Tip, Complaint, or Referral) submissions are still both welcome and encouraged. It is, as yet, unclear exactly how the SEC will internalize the lessons of SolarWinds. But those who have knowledge of cybersecurity statements that intentionally mislead investors should report the conduct to the SEC Whistleblower Program with SolarWinds in mind.

MaryAnne Hamilton is an Attorney at the Miller Law Group